2016-08-13 03:42:53 +02:00
|
|
|
/* global describe, it */
|
|
|
|
|
|
|
|
var assert = require('assert')
|
|
|
|
var bigi = require('bigi')
|
|
|
|
var bitcoin = require('../../')
|
|
|
|
|
|
|
|
var ecurve = require('ecurve')
|
|
|
|
var secp256k1 = ecurve.getCurveByName('secp256k1')
|
2016-08-17 05:06:31 +02:00
|
|
|
var G = secp256k1.G
|
|
|
|
var n = secp256k1.n
|
|
|
|
|
2016-12-10 05:01:41 +01:00
|
|
|
// vG = (dG \+ sha256(e * dG)G)
|
2016-08-17 05:06:31 +02:00
|
|
|
function stealthSend (e, Q) {
|
|
|
|
var eQ = Q.multiply(e) // shared secret
|
|
|
|
var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))
|
|
|
|
var cG = G.multiply(c)
|
2016-10-05 02:05:28 +02:00
|
|
|
var vG = new bitcoin.ECPair(null, Q.add(cG))
|
2016-08-17 05:06:31 +02:00
|
|
|
|
2016-10-05 02:05:28 +02:00
|
|
|
return vG
|
2016-08-17 05:06:31 +02:00
|
|
|
}
|
|
|
|
|
2016-12-10 02:34:06 +01:00
|
|
|
// v = (d + sha256(eG * d))
|
2016-08-17 05:06:31 +02:00
|
|
|
function stealthReceive (d, eG) {
|
|
|
|
var eQ = eG.multiply(d) // shared secret
|
|
|
|
var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))
|
2016-10-05 02:05:28 +02:00
|
|
|
var v = new bitcoin.ECPair(d.add(c).mod(n))
|
2016-08-17 05:06:31 +02:00
|
|
|
|
2016-10-05 02:05:28 +02:00
|
|
|
return v
|
2016-08-17 05:06:31 +02:00
|
|
|
}
|
2016-08-13 03:42:53 +02:00
|
|
|
|
2016-12-10 02:34:06 +01:00
|
|
|
// d = (v - sha256(e * dG))
|
|
|
|
function stealthRecoverLeaked (v, e, Q) {
|
2016-11-25 03:42:17 +01:00
|
|
|
var eQ = Q.multiply(e) // shared secret
|
|
|
|
var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))
|
2016-12-10 02:34:06 +01:00
|
|
|
var d = new bitcoin.ECPair(v.subtract(c).mod(n))
|
2016-11-25 03:42:17 +01:00
|
|
|
|
2016-12-10 02:34:06 +01:00
|
|
|
return d
|
2016-11-25 03:42:17 +01:00
|
|
|
}
|
|
|
|
|
2016-12-10 05:01:41 +01:00
|
|
|
// vG = (rG \+ sha256(e * dG)G)
|
2016-12-10 03:52:08 +01:00
|
|
|
function stealthDualSend (e, R, Q) {
|
|
|
|
var eQ = Q.multiply(e) // shared secret
|
|
|
|
var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))
|
|
|
|
var cG = G.multiply(c)
|
2016-12-10 04:33:51 +01:00
|
|
|
var vG = new bitcoin.ECPair(null, R.add(cG))
|
2016-12-10 03:52:08 +01:00
|
|
|
|
|
|
|
return vG
|
|
|
|
}
|
|
|
|
|
2016-12-10 05:01:41 +01:00
|
|
|
// vG = (rG \+ sha256(eG * d)G)
|
2016-12-10 03:52:08 +01:00
|
|
|
function stealthDualScan (d, R, eG) {
|
|
|
|
var eQ = eG.multiply(d) // shared secret
|
|
|
|
var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))
|
2017-03-28 11:26:59 +02:00
|
|
|
var cG = G.multiply(c)
|
|
|
|
var vG = new bitcoin.ECPair(null, R.add(cG))
|
2016-12-10 03:52:08 +01:00
|
|
|
|
|
|
|
return vG
|
|
|
|
}
|
|
|
|
|
2016-12-10 04:33:51 +01:00
|
|
|
// v = (r + sha256(eG * d))
|
2016-12-10 03:52:08 +01:00
|
|
|
function stealthDualReceive (d, r, eG) {
|
|
|
|
var eQ = eG.multiply(d) // shared secret
|
|
|
|
var c = bigi.fromBuffer(bitcoin.crypto.sha256(eQ.getEncoded()))
|
2016-12-10 04:33:51 +01:00
|
|
|
var v = new bitcoin.ECPair(r.add(c).mod(n))
|
2016-12-10 03:52:08 +01:00
|
|
|
|
|
|
|
return v
|
|
|
|
}
|
|
|
|
|
2016-08-13 03:42:53 +02:00
|
|
|
describe('bitcoinjs-lib (crypto)', function () {
|
|
|
|
it('can generate a single-key stealth address', function () {
|
2016-08-17 05:06:31 +02:00
|
|
|
// XXX: should be randomly generated, see next test for example
|
|
|
|
var recipient = bitcoin.ECPair.fromWIF('5KYZdUEo39z3FPrtuX2QbbwGnNP5zTd7yyr2SC1j299sBCnWjss') // private to recipient
|
|
|
|
var nonce = bitcoin.ECPair.fromWIF('KxVqB96pxbw1pokzQrZkQbLfVBjjHFfp2mFfEp8wuEyGenLFJhM9') // private to sender
|
|
|
|
|
|
|
|
// ... recipient reveals public key (recipient.Q) to sender
|
|
|
|
var forSender = stealthSend(nonce.d, recipient.Q)
|
|
|
|
assert.equal(forSender.getAddress(), '1CcZWwCpACJL3AxqoDbwEt4JgDFuTHUspE')
|
|
|
|
assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)
|
|
|
|
|
|
|
|
// ... sender reveals nonce public key (nonce.Q) to recipient
|
|
|
|
var forRecipient = stealthReceive(recipient.d, nonce.Q)
|
|
|
|
assert.equal(forRecipient.getAddress(), '1CcZWwCpACJL3AxqoDbwEt4JgDFuTHUspE')
|
|
|
|
assert.equal(forRecipient.toWIF(), 'L1yjUN3oYyCXV3LcsBrmxCNTa62bZKWCybxVJMvqjMmmfDE8yk7n')
|
|
|
|
|
|
|
|
// sender and recipient, both derived same address
|
|
|
|
assert.equal(forSender.getAddress(), forRecipient.getAddress())
|
|
|
|
})
|
|
|
|
|
|
|
|
it('can generate a single-key stealth address (randomly)', function () {
|
|
|
|
var recipient = bitcoin.ECPair.makeRandom() // private to recipient
|
|
|
|
var nonce = bitcoin.ECPair.makeRandom() // private to sender
|
|
|
|
|
|
|
|
// ... recipient reveals public key (recipient.Q) to sender
|
|
|
|
var forSender = stealthSend(nonce.d, recipient.Q)
|
|
|
|
assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)
|
|
|
|
|
|
|
|
// ... sender reveals nonce public key (nonce.Q) to recipient
|
|
|
|
var forRecipient = stealthReceive(recipient.d, nonce.Q)
|
|
|
|
assert.doesNotThrow(function () { forRecipient.toWIF() })
|
|
|
|
|
|
|
|
// sender and recipient, both derived same address
|
|
|
|
assert.equal(forSender.getAddress(), forRecipient.getAddress())
|
2016-08-13 03:42:53 +02:00
|
|
|
})
|
|
|
|
|
2016-11-25 03:42:17 +01:00
|
|
|
it('can recover parent recipient.d, if a derived private key is leaked [and nonce was revealed]', function () {
|
|
|
|
var recipient = bitcoin.ECPair.makeRandom() // private to recipient
|
|
|
|
var nonce = bitcoin.ECPair.makeRandom() // private to sender
|
|
|
|
|
|
|
|
// ... recipient reveals public key (recipient.Q) to sender
|
|
|
|
var forSender = stealthSend(nonce.d, recipient.Q)
|
|
|
|
assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)
|
|
|
|
|
|
|
|
// ... sender reveals nonce public key (nonce.Q) to recipient
|
|
|
|
var forRecipient = stealthReceive(recipient.d, nonce.Q)
|
|
|
|
assert.doesNotThrow(function () { forRecipient.toWIF() })
|
|
|
|
|
|
|
|
// ... recipient accidentally leaks forRecipient.d on the blockchain
|
|
|
|
var leaked = stealthRecoverLeaked(forRecipient.d, nonce.d, recipient.Q)
|
|
|
|
assert.equal(leaked.toWIF(), recipient.toWIF())
|
|
|
|
})
|
|
|
|
|
2016-12-10 04:37:14 +01:00
|
|
|
it('can generate a dual-key stealth address', function () {
|
2016-12-10 03:52:08 +01:00
|
|
|
// XXX: should be randomly generated, see next test for example
|
|
|
|
var recipient = bitcoin.ECPair.fromWIF('5KYZdUEo39z3FPrtuX2QbbwGnNP5zTd7yyr2SC1j299sBCnWjss') // private to recipient
|
|
|
|
var scan = bitcoin.ECPair.fromWIF('L5DkCk3xLLoGKncqKsWQTdaPSR4V8gzc14WVghysQGkdryRudjBM') // private to scanner/recipient
|
|
|
|
var nonce = bitcoin.ECPair.fromWIF('KxVqB96pxbw1pokzQrZkQbLfVBjjHFfp2mFfEp8wuEyGenLFJhM9') // private to sender
|
|
|
|
|
|
|
|
// ... recipient reveals public key(s) (recipient.Q, scan.Q) to sender
|
|
|
|
var forSender = stealthDualSend(nonce.d, recipient.Q, scan.Q)
|
|
|
|
assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)
|
|
|
|
|
|
|
|
// ... sender reveals nonce public key (nonce.Q) to scanner
|
|
|
|
var forScanner = stealthDualScan(scan.d, recipient.Q, nonce.Q)
|
|
|
|
assert.throws(function () { forScanner.toWIF() }, /Error: Missing private key/)
|
|
|
|
|
|
|
|
// ... scanner reveals relevant transaction + nonce public key (nonce.Q) to recipient
|
|
|
|
var forRecipient = stealthDualReceive(scan.d, recipient.d, nonce.Q)
|
|
|
|
assert.doesNotThrow(function () { forRecipient.toWIF() })
|
|
|
|
|
|
|
|
// scanner, sender and recipient, all derived same address
|
|
|
|
assert.equal(forSender.getAddress(), forScanner.getAddress())
|
|
|
|
assert.equal(forSender.getAddress(), forRecipient.getAddress())
|
|
|
|
})
|
2016-12-10 04:37:14 +01:00
|
|
|
|
|
|
|
it('can generate a dual-key stealth address (randomly)', function () {
|
|
|
|
var recipient = bitcoin.ECPair.makeRandom() // private to recipient
|
|
|
|
var scan = bitcoin.ECPair.makeRandom() // private to scanner/recipient
|
|
|
|
var nonce = bitcoin.ECPair.makeRandom() // private to sender
|
|
|
|
|
|
|
|
// ... recipient reveals public key(s) (recipient.Q, scan.Q) to sender
|
|
|
|
var forSender = stealthDualSend(nonce.d, recipient.Q, scan.Q)
|
|
|
|
assert.throws(function () { forSender.toWIF() }, /Error: Missing private key/)
|
|
|
|
|
|
|
|
// ... sender reveals nonce public key (nonce.Q) to scanner
|
|
|
|
var forScanner = stealthDualScan(scan.d, recipient.Q, nonce.Q)
|
|
|
|
assert.throws(function () { forScanner.toWIF() }, /Error: Missing private key/)
|
|
|
|
|
|
|
|
// ... scanner reveals relevant transaction + nonce public key (nonce.Q) to recipient
|
|
|
|
var forRecipient = stealthDualReceive(scan.d, recipient.d, nonce.Q)
|
|
|
|
assert.doesNotThrow(function () { forRecipient.toWIF() })
|
|
|
|
|
|
|
|
// scanner, sender and recipient, all derived same address
|
|
|
|
assert.equal(forSender.getAddress(), forScanner.getAddress())
|
|
|
|
assert.equal(forSender.getAddress(), forRecipient.getAddress())
|
|
|
|
})
|
2016-08-13 03:42:53 +02:00
|
|
|
})
|